What are the dangers of someone knowing your IP Address?

Every device that connects to the internet has an IP (Internet Protocol) address.

They’re needed for devices to talk to each other and exchange data.

Your IP address may look like one of the following, depending on how modern your equipment is:

  • – for IPv4 
  • 2001:4860:4000:4uh5:b2fw:0000:8e5d:6432 – for IPv6

TIP: Want to know what your IP address is? Check out What is my IP?

But what are the dangers of someone knowing your IP address – and should you hide it?

Denial of Service attack

If someone knew your IP address – they could perform a Denial of Service attack on your router.

This will flood your connection so that your internet stops working – or at best just slows down to a crawl.

This also affects your ISP (Internet Service Provider) – so fortunately most will have systems to detect and manage Denial of Service attacks in their network.

However, these attacks require resources and run the risk of the attacker getting caught and in trouble with their ISP and the law – so fortunately they’re not often directed at home internet connections.

Discover your location

There are online databases which show the geographic location of IP addresses.

Someone with your IP address could use these to discover your location.

In most cases, these only show your city and state – but this information could be enough to narrow down your identity – such as the school you go to.

Report your IP address as “bad” to websites and services

Some websites, like AbuseIPDB, list “bad” IP addresses – which have been used for hacking, spam and other abusive activity on the Internet.

Someone with your IP address could report it as “bad” – even without you doing anything wrong.

Do this enough times and you’ll have trouble accessing websites which block “bad” IP addresses.

Report your IP address to law enforcement

Taking things a step further – someone with your IP address could also report it as “bad” to law enforcement.

This is unlikely to be taken seriously without evidence – but it still may attract unwanted attention.

Can I be hacked using my IP address?

No – or at least it’s extremely unlikely.

For this to happen you would have to have an existing vulnerability – such as an unsecured router with a default password or open ports.

Fortunately this is extremely rare. Modern routers are designed with security in mind – for example making you set a password before they can be used. And ISPs often use a firewall to help protect your connection.

Should I hide my IP address?

Sometimes – depending on what you’re doing.

For example, if you’re doing Internet banking you would NOT want to hide your IP address – as you want to have a “clean” connection to the bank. But if you’re browsing websites you don’t trust – YES you should consider hiding your IP address.

The best way to do this is using a VPN – such as Private Internet Access.

Private Internet Access is a highly trusted VPN service which:

  • hides your IP address
  • gives you access via 46 countries – further hiding your location
  • is the only proven no-log VPN service in the world!

I’ve used Private Internet Access for several years and highly recommend them – they offer extreme value for money with prices from $4.42/month.

Passwords for keeps – Microsoft removes password expiration Windows 10 security baseline

Password expiration is a common practice in enterprise environments – requiring users to regularly change their passwords.

This practice was sold as a security measure – however changing a password which is not compromised does not add any security – if anything it encourages users to write down their ever-changing passwords.

doing_it_wrong – 8 common WordPress mistakes

Since its initial release in 2003, WordPress has become the most popular CMS – powering an estimated 30% of all websites online.

This massive achievement has a lot to do with its flexibility, ease of use and amazing community of contributors.

But with such possibilities also come mistakes.

In this article I will discuss common WordPress mistakes and how to prevent them.

1. Installing too many plugins

Thanks to the popularity of WordPress and the massive community there are more than 50,000 plugins available for free to customise your website.

The temptation may be to install a plugin for every function or issue – but this approach comes with problems.

People often say that having too many plugins will slow down your website. This isn’t necessarily true – a plugin could be a single line of code or a mammoth bigger than WordPress itself.

But plugins do introduce complexity.

Before installing a plugin, consider:

  1. whether the functionality can be achieved easily without it
  2. whether the plugin introduces too many other unnecessary features – this typically means bloat
  3. whether it would be easier or more reliable to use your own custom code.

2. Editing theme code

I’ve never seen a plugin that is perfect as soon as it’s installed.

Many plugins let you customise colours, fonts and add widgets – but often there’s the need to add your own HTML or CSS.

If you edit the theme’s code you may get the desired result – but either you never update the theme again (BAD IDEA !!) or you lose your changes when you update.

Instead, create a child theme for your theme customisations. This way you can clearly see what customisations have been applied and still update the main “parent” theme.
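As an added example (not code from the article), this is the `functions.php` of a hypothetical child theme. It loads the parent theme’s stylesheet, then the child’s own, and shows where custom HTML belongs (a hook, not the parent’s template files). The parent theme directory name `twentynineteen` and the `mychild_` prefix are assumptions.

```php
<?php
// functions.php of a hypothetical child theme (added example, not from the article).
//
// Alongside this file, the child theme's style.css must start with a header that
// names the parent theme's directory in its "Template:" line, for example:
//
//   Theme Name: My Child Theme
//   Template:   twentynineteen     (assumed directory name of the parent theme)
//
// Everything in the child theme directory survives updates of the parent theme.

defined( 'ABSPATH' ) || exit; // only run inside WordPress

add_action( 'wp_enqueue_scripts', 'mychild_enqueue_styles' );

function mychild_enqueue_styles() {
    // Load the parent theme's stylesheet first...
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        wp_get_theme( get_template() )->get( 'Version' )
    );
    // ...then the child's own style.css, declared as depending on the parent's so it
    // is output afterwards and its rules override the parent's at equal specificity.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
}

// Custom HTML goes through hooks as well, never into the parent's template files.
add_action( 'wp_footer', 'mychild_footer_notice' );

function mychild_footer_notice() {
    echo '<p class="site-notice">' . esc_html__( 'Customised via a child theme', 'mychild' ) . '</p>';
}
```

Activate the child theme in Appearance → Themes; the parent stays installed but untouched, so its updates no longer wipe out your changes.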

3. Not backing up

Backups are something you never want to use but you always want to have.

Backups are important – particularly before installing a new plugin or update – but also on a regular, weekly basis.

Don’t trust your host’s backups. I recommend using a plugin like UpdraftPlus and backing up to an external location such as a Google Drive.

4. Not updating PHP version

WordPress uses the PHP server-side scripting language.

PHP has seen some massive updates over the years – with version 7.0 and above introducing significant performance gains.

But surprisingly the majority of WordPress sites are using version 5.6 (as of December 2018).

You can (temporarily) use the Display PHP Version plugin to check which version of PHP you currently have. If it’s less than 7.0 you should check with your website host for how to update.

5. Using a cheap host

The cheap hosting offer is almost always too good to be true.

Cheap hosting tends to lack important features, have poor support and, more importantly, be slow – which is critical for the user experience.

The longer a page takes to load the more likely the user will give up and go elsewhere. A two second load time is a good goal – but less is definitely better.

There are many hosting options – do your research and steer away from the cheapest. A typical good entry-level host will offer cPanel management and phone support.

6. Unnecessary plugins and themes

Each plugin or theme adds complexity to your website, takes up space and is a potential security hole.

If you don’t use it any more – uninstall it. Don’t just deactivate it – even if a plugin or theme is not active it may still be a security hole.

There is one exception – make sure you have a second theme installed – because if your main theme fails WordPress will fall back to the second.
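An added example (not code from the article) that turns this advice into a dashboard check: it lists every installed plugin that is not active and every theme that is neither the active theme, its parent, nor the one spare kept as a fallback. It assumes it is dropped into `wp-content/mu-plugins/` (file name is your choice); the `wpsec_` prefix is an assumption.

```php
<?php
// Added example (not from the article): report installed-but-inactive plugins and
// surplus themes so they can be uninstalled. Assumed location: wp-content/mu-plugins/.

defined( 'ABSPATH' ) || exit;

/** Inactive plugins as plugin-file => name. */
function wpsec_inactive_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( ! is_plugin_active( $plugin_file ) && ! is_plugin_active_for_network( $plugin_file ) ) {
            $inactive[ $plugin_file ] = $data['Name'];
        }
    }
    return $inactive;
}

/**
 * Themes that can be deleted. The active theme, its parent (for a child theme) and
 * one spare theme (the fallback the article recommends) are kept.
 */
function wpsec_removable_themes() {
    $active    = wp_get_theme()->get_stylesheet();
    $parent    = wp_get_theme()->get_template();
    $spare     = null;
    $removable = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( $slug === $active || $slug === $parent ) {
            continue;
        }
        if ( null === $spare ) {
            $spare = $slug; // first unused theme is kept as the fallback
            continue;
        }
        $removable[ $slug ] = $theme->get( 'Name' );
    }
    return array( 'keep_as_fallback' => $spare, 'removable' => $removable );
}

// Show the findings to users who are allowed to delete plugins.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $plugins = wpsec_inactive_plugins();
    $themes  = wpsec_removable_themes();
    if ( ! $plugins && ! $themes['removable'] ) {
        return; // nothing to clean up
    }
    echo '<div class="notice notice-warning"><p>';
    echo esc_html( 'Inactive plugins to uninstall: ' . ( implode( ', ', $plugins ) ?: 'none' ) );
    echo '<br>';
    echo esc_html( sprintf(
        'Unused themes to delete (keeping %s as fallback): %s',
        $themes['keep_as_fallback'] ?: 'none',
        implode( ', ', $themes['removable'] ) ?: 'none'
    ) );
    echo '</p></div>';
} );
```

Deleting is left to the normal Plugins and Themes screens on purpose; the point of the notice is that “deactivated” and “gone” are not the same thing.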

7. Weak passwords

Unless you’ve implemented additional security to protect your WordPress login page (and API endpoints) – there will be hackers and bots attempting to guess your passwords.

I highly suggest using randomly generated passwords of 16 or more characters and a password manager such as LastPass.

8. Giving administrator access to all

If you have multiple people contributing to your website – consider giving them the least amount of access to do their job.

Not all users will need administrator access – but if they do have administrator access, they (or anyone that knows their password) can completely turn your website upside down.

Editor level access is suitable for most authors.

Other access levels include:

  • Administrator – somebody who has access to all the administration features within a single site.
  • Editor – somebody who can publish and manage posts including the posts of other users.
  • Author – somebody who can publish and manage their own posts.
  • Contributor – somebody who can write and manage their own posts but cannot publish them.
  • Subscriber – somebody who can only manage their profile.
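As an added example (not code from the article), the least-privilege step above as a script: list every account holding the Administrator role and downgrade the ones that only write content to Editor, while never removing the last administrator. It assumes WordPress is loaded (for instance run with WP-CLI’s `wp eval-file`); the logins `bob` and `carol` and the `wpsec_` prefix are constructed.

```php
<?php
// Added example (not from the article): least privilege for WordPress accounts.
// Run inside WordPress, e.g. `wp eval-file least-privilege.php` (file name assumed).

defined( 'ABSPATH' ) || exit;

/** Logins of all users holding the Administrator role. */
function wpsec_administrators() {
    $admins = get_users( array( 'role' => 'administrator' ) );
    return array_values( wp_list_pluck( $admins, 'user_login' ) );
}

/**
 * Downgrade the given logins from Administrator to Editor. Leaves at least one
 * administrator in place and returns the logins that were actually changed.
 */
function wpsec_downgrade_to_editor( array $logins ) {
    $admins  = wpsec_administrators();
    $changed = array();
    foreach ( $logins as $login ) {
        if ( count( $admins ) <= 1 ) {
            break; // never remove the last administrator
        }
        $user = get_user_by( 'login', $login );
        if ( ! $user || ! in_array( $login, $admins, true ) ) {
            continue; // unknown account, or not an administrator anyway
        }
        $user->set_role( 'editor' ); // replaces all of the user's roles with Editor
        $changed[] = $login;
        $admins    = array_values( array_diff( $admins, array( $login ) ) );
    }
    return $changed;
}

// Constructed example: 'bob' and 'carol' only publish and manage posts, which the
// Editor role already covers.
$content_authors = array( 'bob', 'carol' );

foreach ( wpsec_administrators() as $login ) {
    echo "administrator: {$login}\n";
}
foreach ( wpsec_downgrade_to_editor( $content_authors ) as $login ) {
    echo "downgraded to editor: {$login}\n";
}
```

Re-run the first loop periodically: an account that quietly gains Administrator is exactly the kind of change you want to notice.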

How secure is WordPress?

WordPress is fundamentally a secure platform which is constantly supported and updated by thousands of developers.

When properly installed WordPress is secure. But like any other system, there are points of vulnerability.

What are the biggest risks?

The code you run

Your WordPress website is only as secure as the code you run.

The plugins and themes you install all add risk to the security of your WordPress website.

To reduce this risk only install plugins and themes from trusted sources.

The WordPress plugin directory is (mostly) a safe bet, as are big-name premium plugins such as Gravity Forms. For other plugins look for a large number of active installs (1000+) and positive feedback.

If you want to go a step further you could pay for a security audit, such as the Wordfence Site Security Audit.

Not installing updates

Security issues are discovered fairly often – it’s part of the benefit of an open-source project like WordPress. People are actively checking and fixing issues.

But to benefit from these updates you need to keep WordPress as well as your plugins and theme updated.

By default WordPress will automatically install minor updates (e.g. 5.0.0 -> 5.0.1) to WordPress itself – but does not install:

  • updates to plugins
  • updates to themes
  • major WordPress updates (e.g. 4.9.8 -> 5.0.0).

I recommend using Companion Auto Update to manage updates – making sure these are also automatically installed.
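An added example (not code from the article, and an alternative to the Companion Auto Update plugin the author recommends): WordPress exposes filters that switch on the three kinds of update listed above. Putting them in a must-use plugin means they cannot be deactivated by accident. The file location and the excluded plugin slug `my-payment-gateway` are assumptions.

```php
<?php
// Added example (not from the article): enable automatic updates for plugins, themes
// and major core releases using WordPress's own filters.
// Assumed location: wp-content/mu-plugins/auto-updates.php

defined( 'ABSPATH' ) || exit;

// Plugins and themes are not auto-updated by default; switch both on.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Minor core releases are already automatic; this also allows major ones
// (e.g. 4.9.8 -> 5.0.0). Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ); in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Exception: a plugin you insist on testing by hand first (slug is an assumption).
// Registered after the __return_true filter at the same priority, so it runs last.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && 'my-payment-gateway' === $item->slug ) {
        return false;
    }
    return $update;
}, 10, 2 );
```

Two things override these filters: the `AUTOMATIC_UPDATER_DISABLED` and `DISALLOW_FILE_MODS` constants in `wp-config.php`, and a host that blocks WP-Cron, which is what actually runs the updater. Check both if updates still do not arrive, and keep the backup from section 3 current, because an automatic update is still an update.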

Weak passwords

I find the term “password” isn’t very useful when it comes to security – because if your password is one or more words it’s not good enough!

Instead create a “pass-phrase” such as a poem or song lyric. Length is what matters – the longer it is the harder it is to brute force (guess) the password.

Or even better use a password manager such as LastPass and randomly generated passwords of 16 or more characters.
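To put numbers on the length argument here and on the 16-character recommendation under “7. Weak passwords” above, an added example (not code from the article): it generates a password of the recommended length with PHP’s cryptographic `random_int()` and compares the brute-force search space, in bits, of a few password styles. The 94-symbol printable alphabet, the 7776-word list size and the 170,000-word dictionary estimate are assumptions.

```php
<?php
// Added example (not from the article): random passwords and search-space size.

/** The 94 printable ASCII symbols (0x21..0x7E), no space. */
function printable_alphabet(): string {
    return implode( '', array_map( 'chr', range( 33, 126 ) ) );
}

/** A password of $length symbols drawn with the CSPRNG random_int(). */
function random_password( int $length = 16 ): string {
    $alphabet = printable_alphabet();
    $max      = strlen( $alphabet ) - 1;
    $out      = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, $max ) ];
    }
    return $out;
}

/** Bits an attacker must search when $count symbols are chosen uniformly from $choices. */
function search_space_bits( int $choices, int $count ): float {
    return $count * log( $choices, 2 );
}

// Assumed sizes: ~170,000-word English dictionary, 7776-word passphrase list
// (the size used by dice-based word lists), 94 printable symbols.
$cases = array(
    'one dictionary word'                  => search_space_bits( 170000, 1 ),
    '4 random words from a 7776-word list' => search_space_bits( 7776, 4 ),
    '6 random words from a 7776-word list' => search_space_bits( 7776, 6 ),
    '8 random printable characters'        => search_space_bits( 94, 8 ),
    '16 random printable characters'       => search_space_bits( 94, 16 ),
);
foreach ( $cases as $label => $bits ) {
    printf( "%-40s %6.1f bits\n", $label, $bits );
}
printf( "\nexample 16-character password: %s\n", random_password( 16 ) );
```

The figures only hold when the words or characters are chosen at random. A real poem or lyric is far more predictable than six random words, which is why the random-words rows are the fair comparison, and why a password manager that generates 16 random characters (about 105 bits) is the “even better” option.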

What if something goes wrong?

Always keep a current backup of your website – I recommend using a plugin like UpdraftPlus and backing up to an external location such as a Google Drive. The backup may be needed to either restore or find the infected code.

If your website is compromised you need to:

  1. get access to the site – this may mean resetting an administrator’s password
  2. find the infected code
  3. clean the infected code
  4. remove any changes made – for example, changes to your posts or additional backdoor scripts
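As an added example (not code from the article or from Wordfence), a first pass at step 2, “find the infected code”: it lists PHP files inside `wp-content/uploads`, which should hold only media, and every file under the site root changed since a date you choose (backdoor scripts and edited posts tend to show up there). The path and date arguments are assumptions you supply on the command line.

```php
<?php
// Added example (not from the article): find likely infected files in a WordPress tree.
// Usage: php find-suspect-files.php /path/to/wordpress 2019-01-01   (path/date assumed)

/**
 * Returns two lists, relative to $root: PHP-like files under wp-content/uploads,
 * and files modified at or after $since (any strtotime() date string).
 */
function suspect_files( string $root, string $since ): array {
    $since_ts = strtotime( $since );
    $root     = rtrim( $root, '/' );
    $findings = array( 'php_in_uploads' => array(), 'modified_since' => array() );

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        /** @var SplFileInfo $file */
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );

        // Executable code inside the uploads folder is a classic backdoor location;
        // also catch .php5, .phtml and .phar, which many servers execute as PHP.
        if ( strpos( $rel, 'wp-content/uploads/' ) === 0 && preg_match( '/\.ph(p\d?|tml|ar)$/i', $rel ) ) {
            $findings['php_in_uploads'][] = $rel;
        }
        if ( $file->getMTime() >= $since_ts ) {
            $findings['modified_since'][] = $rel;
        }
    }
    sort( $findings['php_in_uploads'] );
    sort( $findings['modified_since'] );
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    $root   = $argv[1] ?? getcwd();
    $since  = $argv[2] ?? '-7 days';
    $result = suspect_files( $root, $since );
    foreach ( $result as $category => $files ) {
        printf( "%s (%d):\n", $category, count( $files ) );
        foreach ( $files as $f ) {
            echo "  {$f}\n";
        }
    }
}
```

Treat the output as a starting point, not a verdict: attackers can reset modification times, so also compare the core files against the official checksums (WP-CLI’s `wp core verify-checksums` does this) and diff plugins and themes against fresh copies before deciding what to clean.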

This can be quite a complicated process. Fortunately Wordfence offer a WordPress site cleaning service if you want experienced professionals to do it.